feat(paperless): change paperless OCR engine model from tesseract_fast to tesseract_best

false positive:
- nextcloud chunk problem (crowdsecurity/http-crawl-non_statics)
- change expression 'chunks.mjs' to 'chunk.mjs'

ansible/roles/app/tasks/services/set_paperless.yaml

@@ -57,8 +57,16 @@
     - "data/containers/paperless/consume"
     - "containers/paperless"
     - "containers/paperless/ssl"
+    - "containers/paperless/build"
   become: true
 
+- name: Deploy containerfile for build
+  ansible.builtin.template:
+    src: "{{ hostvars['console']['node']['config_path'] }}/services/containers/app/paperless/build/paperless.containerfile.j2"
+    dest: "{{ node['home_path'] }}/containers/paperless/build/Containerfile"
+    owner: "{{ ansible_user }}"
+    group: "svadmins"
+    mode: "0640"
 
 - name: Deploy root certificate
   ansible.builtin.copy:
@@ -72,6 +80,18 @@
   notify: "notification_restart_paperless"
   no_log: true
 
+- name: Build paperless container image
+  containers.podman.podman_image:
+    name: "{{ domain['internal'] }}/{{ node['name'] }}/paperless-ngx"
+    # check tags from container file
+    tag: "{{ version['containers']['paperless'] }}"
+    state: "build"
+    path: "{{ node['home_path'] }}/containers/paperless/build"
+
+- name: Prune paperless dangling images
+  containers.podman.podman_prune:
+    image: true
+
 - name: Register secret value to podman secret
   containers.podman.podman_secret:
     name: "{{ item.name }}"
@@ -129,8 +149,8 @@
   loop:
     - image: "docker.io/library/redis:{{ version['containers']['redis'] }}"
       file: "docker.io_library_redis_{{ version['containers']['redis'] }}"
-    - image: "ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}"
+    - image: "ilnmors.internal/{{ node['name'] }}/paperless-ngx:{{ version['containers']['paperless'] }}"
-      file: "ghcr.io_paperless-ngx_paperless-ngx_{{ version['containers']['paperless'] }}"
+      file: "ilnmors.internal_{{ node['name'] }}_paperless-ngx_{{ version['containers']['paperless'] }}"
   loop_control:
     label: "{{ item.file }}"
   register: container_archive_images

ansible/roles/common/tasks/services/set_alloy.yaml

@@ -74,3 +74,10 @@
     enabled: true
     daemon_reload: true
   become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/var/cache/apt/archives/alloy-{{ version['packages']['alloy'] }}.deb"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true

ansible/roles/console/handlers/main.yaml

@@ -1,8 +1 @@
 ---
-- name: Register font
-  ansible.builtin.shell: |
-    fc-cache -f -v
-  become: true
-  changed_when: false
-  listen: "notification_update_font"
-  ignore_errors: true # noqa: ignore-errors

ansible/roles/fw/tasks/services/set_blocky.yaml

@@ -41,7 +41,7 @@
   ansible.builtin.get_url:
     url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
       blocky_v{{ version['packages']['blocky'] }}_Linux_x86_64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     owner: "blocky"
     group: "blocky"
     mode: "0600"
@@ -52,16 +52,16 @@
   ansible.builtin.get_url:
     url: "https://github.com/0xERR0R/blocky/releases/download/v{{ version['packages']['blocky'] }}/\
       blocky_v{{ version['packages']['blocky'] }}_Linux_arm64.tar.gz"
-    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
+    dest: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     owner: "blocky"
     group: "blocky"
     mode: "0600"
   become: true
   when: ansible_facts['architecture'] == "aarch64"
 
-- name: Deploy blocky binary file (x86_64)
+- name: Deploy blocky binary file
   ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-x86_64.tar.gz"
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
     remote_src: true
     dest: "/usr/local/bin/"
     owner: "root"
@@ -72,23 +72,6 @@
       - "--wildcards"
       - "blocky"
   become: true
-  when: ansible_facts['architecture'] == "x86_64"
-  notify: "notification_restart_blocky"
-
-- name: Deploy blocky binary file (aarch64)
-  ansible.builtin.unarchive:
-    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}-arm64.tar.gz"
-    remote_src: true
-    dest: "/usr/local/bin/"
-    owner: "root"
-    group: "root"
-    mode: "0755"
-    extra_opts:
-      - "--strip-components=0"
-      - "--wildcards"
-      - "blocky"
-  become: true
-  when: ansible_facts['architecture'] == "aarch64"
   notify: "notification_restart_blocky"
 
 - name: Deploy blocky config
@@ -141,3 +124,10 @@
     enabled: true
     daemon_reload: true
   become: true
+
+- name: Fetch deb bin file
+  ansible.builtin.fetch:
+    src: "/home/blocky/bin/blocky-{{ version['packages']['blocky'] }}.tar.gz"
+    dest: "{{ hostvars['console']['node']['data_path'] }}/bin/"
+    flat: true
+  become: true

config/services/containers/app/paperless/build/paperless.containerfile.j2

@@ -0,0 +1,13 @@
+FROM ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
+
+USER root
+
+RUN apt-get update \
+  && apt-get install -y --no-install-recommends curl ca-certificates \
+  && curl -fsSL https://raw.githubusercontent.com/tesseract-ocr/tessdata_best/main/kor.traineddata \
+    -o /usr/share/tesseract-ocr/5/tessdata/kor.traineddata \
+  && curl -fsSL https://raw.githubusercontent.com/tesseract-ocr/tessdata_best/main/eng.traineddata \
+    -o /usr/share/tesseract-ocr/5/tessdata/eng.traineddata \
+  && rm -rf /var/lib/apt/lists/*
+
+USER paperless

config/services/containers/app/paperless/paperless.container.j2

@@ -8,7 +8,7 @@ After=redis_paperless.service
 Wants=redis_paperless.service
 
 [Container]
-Image=ghcr.io/paperless-ngx/paperless-ngx:{{ version['containers']['paperless'] }}
+Image=ilnmors.internal/app/paperless-ngx:{{ version['containers']['paperless'] }}
 ContainerName=paperless
 HostName=paperless
 PublishPort={{ services['paperless']['ports']['http'] }}:8000/tcp

config/services/systemd/common/crowdsec/bouncers/whitelists.yaml.j2

@@ -16,4 +16,6 @@ whitelist:
         - "evt.Meta.target_fqdn == '{{ services['immich']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains '/api/assets/' && evt.Meta.http_path contains '/thumbnail'"
         # nextcloud thumbnail/preview request error false positive
         - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'"
+        # nextcloud chunks.mjs request false positive
+        - "evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'"
 {% endif %}

docs/issues/crowdsec/260502_nextcloud.md

@@ -23,11 +23,14 @@
 - 2026-05-03: Make previous expressions annotation
 - 2026-05-07: Find the false positive case, which is not on `crowdsecurity/nextcloud-whitelist`
 - 2026-05-07: Set whitelist expression
+- 2026-05-11: Find the false positive case, which is not on `crowdsec/nextcloud-whitelist`
+- 2026-05-11: Set whitelist expression
 
 ## Solution
 - Install crowdsecurity/nextcloud-whitelist on auth node
 - Add expression on whitelist
-  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' &&  evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status == '404' && evt.Meta.http_verb == 'GET' && evt.Meta.http_path startsWith '/index.php/core/preview?'
+  - evt.Meta.target_fqdn == '{{ services['nextcloud']['domain']['public'] }}.{{ domain['public'] }}' && evt.Meta.http_status in ['200', '304'] && evt.Meta.http_verb == 'GET' && evt.Meta.http_path contains 'chunk.mjs'
 
 ### Deprecated solution
 - Access to fw

docs/services/app/paperless-ngx.md

@@ -45,6 +45,11 @@ ALTER DATABASE paperless_db OWNER TO paperless;
       - "paperless"
 ```
 
+### Paperless custom build
+
+- paperless-ngx uses 'tesseract_fast' model
+- building custom container to use 'tesseract_best' model to improve OCR accuracy.
+
 ## Configuration
 
 ### Access to paperless